AD Connector MFA Setup Completed but AD Connector not sending RADIUS

Question

I have had an AD Connector set up for some time with no issue.  This is being used by AWS Client VPN. We are now enabling MFA on this service.  
  
I am using DUO Auth_Proxy for RADIUS - it is only handling secondary authentication with primary auth being handled by AD.  
  
I have enabled MFA on the directory service and it completes successfully, and in the RADIUS logs I do see that the awsfaketestuser attempts to connect.  
  
However when attempting to connect the client VPN the secondary authentication challenge never reaches the RADIUS server.  I have tested that it is working correctly by standing up an EC2 instance in the same security group and subnet as the AWS directory endpoints - and the challenge does go to the RADIUS server as expected and is logged. Just the AWS AD Connector doesn't appear to be sending challenges.  
  
I have also set this up successfully in a separate environment. It just seems as though the AD Connector (Directory) is not forwarding the challenge to the RADIUS server. Oh, and the Open VPN configuration on the client HAS been updated with the static-challenge.  
  
I have confirmed with DUO that the solution is configured correctly.   
  
I am really scratching my head over this one. Any ideas?

jguidali · Answer

The issue ended up being with the ovpn file downloaded from AWS. I downloaded it again from the self-service portal and it worked as expected. Comparing the first and second file, the section for the static-challenge was in the wrong section in the first file. I'm not sure why that would have been the case as they were both downloaded from AWS - the first from the VPN configuration page and the second from the Self-Service portal.   
  
Also, if anyone else runs into this, you can use the self-service portal to verify that MFA is working properly as an alternative to the clunky OpenVPN client.

AD Connector MFA Setup Completed but AD Connector not sending RADIUS

Relevant content